JVNDB-2021-006117

Multiple vulnerabilities in IDEC PLCs

Multiple PLCs provided by IDEC Corporation contain multiple vulnerabilities listed below.

* Unprotected transport of credentials (CWE-523) - CVE-2021-37400
* Plaintext storage of a password (CWE-256) - CVE-2021-37401
* Unprotected transport of credentials (CWE-523) - CVE-2021-20826
* Plaintext storage of a password (CWE-256) - CVE-2021-20827

Khalid Ansari of FM Approvals reported these vulnerabilities to IDEC Corporation, and IDEC Corporation reported
the case to JPCERT/CC and coordinated in order to notify users of the solutions through JVN.

IDEC

• FC6A MICROSmart All-in-One CPU Module v2.32 and earlier
• FC6A MICROSmart Plus CPU Module v1.91 and earlier
• FC6B MICROSmart All-in-One CPU Module v2.31 and earlier
• FC6B MICROSmart Plus CPU Module v2.31 and earlier
• FT1A Controller SmartAXIS Pro/Lite v2.31 and earlier
• WindEDIT Lite v1.3.1 and earlier
• WindLDR v8.19.1 and earlier
• Data File Manager v2.12.1 and earlier

For more information, refer to the information provided by the developer.

* An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37400

* An attacker may obtain the user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the PLC user program may be uploaded, altered, and/or downloaded. - CVE-2021-37401

* An attacker may obtain the PLC Web server user credentials from the communication between the PLC and the software. As a result, the complete access privileges to the PLC Web server may be obtained, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20826

* An attacker may obtain the PLC Web server user credentials from file servers, backup repositories, or ZLD files saved in SD cards. As a result, the attacker may access the PLC Web server and hijack the PLC, and manipulation of the PLC output and/or suspension of the PLC may be conducted. - CVE-2021-20827

[Update the software]
Apply the appropriate software update according to the information provided by the developer.
* FC6A Series MICROSmart All-in-One CPU module v2.40 and later
* FC6B Series MICROSmart All-in-One CPU module v2.40 and later
* FC6A Series MICROSmart Plus CPU module v2.00 and later
* FC6B Series MICROSmart Plus CPU module v2.40 and later
* FT1A Series SmartAxix Pro/Lite v2.40 and later
* WindLDR v8.20.0 and later
* WindEDIT Lite v1.4.0 and later
* Data File Manager v2.13.0 and later

[Apply workarounds]
Applying the below workarounds may mitigate the impacts of these vulnerabilities.
* Restrict network appropriately to prevent the suspicious connection from untrusted devices
* Restrict the devices which can access PLCs
* Manage ZLD files appropriately

For more information, refer to the information provided by the developer.

IDEC

• IDEC : Vulnerability notification for IDEC PLC (in Japanese)

1. Unprotected Storage of Credentials(CWE-256) [Other]
2. Unprotected Transport of Credentials(CWE-523) [Other]

1. CVE-2021-37400
2. CVE-2021-37401
3. CVE-2021-20826
4. CVE-2021-20827

1. JVN : JVNVU#92279973
2. ICS-CERT ADVISORY : ICSA-22-006-03

• [2021/12/27]
    Web page was published
• [2022/1/11]
     References : Contents were added